RFC-2867 RADIUS Tunnel Accounting

The RFC-2867 RADIUS Tunnel Accounting introduces six new RADIUS accounting types that are used with the RADIUS accounting attribute Acct-Status-Type (attribute 40), which indicates whether an accounting request marks the beginning of user service (start) or the end (stop).

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for RFC-2867 RADIUS Tunnel Accounting

RADIUS tunnel accounting works only with L2TP tunnel support.

Information About RFC-2867 RADIUS Tunnel Accounting

Benefits of RFC-2867 RADIUS Tunnel Accounting

Without RADIUS tunnel accounting support, VPDN with network accounting, which allows users to determine tunnel-link status changes, did not report all possible attributes to the accounting record file. Now that all possible attributes can be displayed, users can better verify accounting records with their Internet Service Providers (ISPs).

RADIUS Attributes Support for RADIUS Tunnel Accounting

The table below outlines the new RADIUS accounting types that are designed to support the provision of compulsory tunneling in dialup networks; that is, these attribute types allow you to better track tunnel status changes.

Note

The accounting types are divided into two separate tunnel types so users can decide if they want tunnel type, tunnel-link type, or both types of accounting.

Marks the creation of a tunnel link. Only some tunnel types (Layer 2 Transport Protocol [L2TP]) support multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel.

User-Name (1)--from client

NAS-IP-Address (4)--from AAA

NAS-Port (5)--from AAA

Acct-Delay-Time (41)--from AAA

Event-Timestamp (55)--from AAA

Tunnel-Type (64)--from client

Tunnel-Medium-Type (65)--from client

Tunnel-Client-Endpoint (66)--from client

Tunnel-Server-Endpoint (67)--from client

Acct-Tunnel-Connection (68)--from client

Tunnel-Link-Stop (Acct-Status-Type value 13)

Marks the end of a tunnel link. Only some tunnel types (L2TP) support multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel.

User-Name (1)--from client

NAS-IP-Address (4)--from AAA

NAS-Port (5)--from AAA

Acct-Delay-Time (41)--from AAA

Acct-Input-Octets (42)--from AAA

Acct-Output-Octets (43)--from AAA

Acct-Session-Id (44)--from AAA

Acct-Session-Time (46)--from AAA

Acct-Input-Packets (47)--from AAA

Acct-Output-Packets (48)--from AAA

Acct-Terminate-Cause (49)--from AAA

Acct-Multi-Session-Id (51)--from AAA

Event-Timestamp (55)--from AAA

NAS-Port-Type (61)--from AAA

Tunnel-Type (64)--from client

Tunnel-Medium-Type (65)--from client

Tunnel-Client-Endpoint (66)--from client

Tunnel-Server-Endpoint (67)--from client

Acct-Tunnel-Connection (68)--from client

Acct-Tunnel-Packets-Lost (86)--from client

Tunnel-Link-Reject (Acct-Status-Type value 14)

Marks the rejection of a tunnel setup for a new link in an existing tunnel. Only some tunnel types (L2TP) support multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel.

User-Name (1)--from client

NAS-IP-Address (4)--from AAA

Acct-Delay-Time (41)--from AAA

Acct-Terminate-Cause (49)--from AAA

Event-Timestamp (55)--from AAA

Tunnel-Type (64)--from client

Tunnel-Medium-Type (65)--from client

Tunnel-Client-Endpoint (66)--from client

Tunnel-Server-Endpoint (67)--from client

Acct-Tunnel-Connection (68)--from client

1 If the specified tunnel type is used, these attributes should also be included in the accounting request packet.
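
The following added example (not part of the Cisco documentation) parses a raw RADIUS Accounting-Request and reports which of the attributes listed above are absent from a tunnel-link record, which is one way to audit the records a LAC sends. It checks attribute presence only and does not verify the Request Authenticator; the function names and the sample packet are constructed for illustration, and the value 12 for Tunnel-Link-Start is taken from RFC 2867.

```python
import struct

ACCOUNTING_REQUEST = 4   # RADIUS packet code for Accounting-Request (RFC 2866)
ACCT_STATUS_TYPE = 40
# Attribute numbers per accounting type, copied from the lists above.
# Value 12 (Tunnel-Link-Start) is from RFC 2867; 13 and 14 appear on this page.
LINK_COMMON = {1, 4, 41, 55, 64, 65, 66, 67, 68}
EXPECTED = {
    12: ("Tunnel-Link-Start", LINK_COMMON | {5}),
    13: ("Tunnel-Link-Stop", LINK_COMMON | {5, 42, 43, 44, 46, 47, 48, 49, 51, 61, 86}),
    14: ("Tunnel-Link-Reject", LINK_COMMON | {49}),
}

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} from a RADIUS Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def missing_attributes(packet: bytes):
    """Return (accounting type name or None, sorted missing attribute numbers)."""
    attrs = parse_attributes(packet)
    status = attrs.get(ACCT_STATUS_TYPE, [b""])[0]
    if len(status) != 4:
        raise ValueError("Acct-Status-Type missing or not a 4-byte integer")
    name, wanted = EXPECTED.get(int.from_bytes(status, "big"), (None, set()))
    return name, sorted(wanted - set(attrs))

def build_sample(status: int, attr_types) -> bytes:
    """Constructed test packet: zeroed authenticator, dummy 4-byte values."""
    body = bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    body += b"".join(bytes([t, 6]) + b"\x00\x00\x00\x01" for t in sorted(attr_types))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed Tunnel-Link-Stop record lacking attributes 49 and 86.
SAMPLE = build_sample(13, EXPECTED[13][1] - {49, 86})
print(missing_attributes(SAMPLE))
```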

How to Configure RADIUS Tunnel Accounting

Enabling Tunnel Type Accounting Records

Use this task to configure your LAC to send tunnel and tunnel-link accounting records to the RADIUS server.

Two new command line interfaces (CLIs)--vpdn session accounting network (tunnel-link-type records) and vpdn tunnel accounting network (tunnel-type records)--are supported to help identify the following events:

A VPDN tunnel is brought up or destroyed

A request to create a VPDN tunnel is rejected

A user session within a VPDN tunnel is brought up or brought down

A user session create request is rejected

Note

The first two events are tunnel-type accounting records: authentication, authorization, and accounting (AAA) sends Tunnel-Start, Tunnel-Stop, or Tunnel-Reject accounting records to the RADIUS server. The next two events are tunnel-link-type accounting records: AAA sends Tunnel-Link-Start, Tunnel-Link-Stop, or Tunnel-Link-Reject accounting records to the RADIUS server.

default--If the default network accounting method-list is configured and no additional accounting configurations are enabled on the interface, network accounting is enabled by default.

If either the vpdn session accounting network command or the vpdn tunnel accounting network command is linked to the default method-list, all tunnel and tunnel-link accounting records are enabled for those sessions.

list-name--The list-name defined in the aaa accounting command must be the same as the list-name defined in the VPDN command; otherwise, accounting will not occur.

Step 4

Router(config)# vpdn enable

Example:

Router(config)# vpdn enable

Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (if applicable).

Feature Information for RFC-2867 RADIUS Tunnel Accounting

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 2 Feature Information for RFC-2867 RADIUS Tunnel Accounting

Feature Name: RFC-2867 RADIUS Tunnel Accounting

Releases: Cisco IOS XE Release 2.1

Feature Information: The RFC-2867 RADIUS Tunnel Accounting introduces six new RADIUS accounting types that are used with the RADIUS accounting attribute Acct-Status-Type (attribute 40), which indicates whether an accounting request marks the beginning of user service (start) or the end (stop).